Abstract

Alice seeks an information-theoretically secure source of private random data. Unfortunately, she lacks a personal source and must use remote sources controlled by other parties. Alice wants to simulate a coin flip of specified bias $\alpha$, as a function of data she receives from $p$ sources; she seeks privacy from any coalition of $r$ of them. We show: If $p/2 \le r < p$, the bias can be any rational number and nothing else; if $0 < r < p/2$, the bias can be any algebraic number and nothing else. The proof uses projective varieties, convex geometry, and the probabilistic method. Our results improve on those laid out by Yao, who asserts one direction of the $r = 1$ case in his seminal paper [Yao82]. We also provide an application to secure multiparty computation.



1 Introduction 

Alice has a perfectly fair penny — one that lands heads exactly 50% of the time. Unfortunately, the penny is mixed in with a jar of ordinary, imperfect pennies. The truly fair penny can never be distinguished from the other pennies, since no amount of experimentation can identify it with certainty. Still, Alice has discovered a workable solution. Whenever she needs a fair coin flip, she flips all the pennies and counts the Lincolns; an even number means heads, and an odd number means tails.

Alice's technique is an example of "robust coin flipping." She samples many random sources, some specified number of which are unreliable, and still manages to simulate a desired coin flip. Indeed, Alice's technique works even if the unreliable coin flips somehow fail to be independent.

Bob faces a sort of converse problem. He's marooned on an island, and the nearest coin is over three hundred miles away. Whenever he needs a fair coin flip, he calls up two trustworthy friends who don't know each other, asking for random equivalence classes modulo two. Since the sum of the classes is completely mysterious to either of the friends, Bob may safely use the sum to make private decisions.

Bob's technique seems similar to Alice's, and indeed we shall see that the two predicaments are essentially the same. We shall also see that the story for biased coin flips is much more complex.

1.1 Preliminaries and Definitions 

Informally, we think of a random source as a (possibly remote) machine capable of sampling from certain probability spaces. Formally, a random source is a collection $\mathcal{C}$ of probability spaces that is closed under quotients. That is, if $X \in \mathcal{C}$ and there is a measure-preserving map¹ $X \to Y$, then $Y \in \mathcal{C}$. Random sources are partially ordered by inclusion: We say that $\mathcal{C}$ is stronger than $\mathcal{D}$ iff $\mathcal{C} \supseteq \mathcal{D}$.

The quotients of a probability space $X$ are precisely the spaces a person can model with $X$. For example, one can model a fair coin with a fair die: Label three of the die's faces "heads" and the other three "tails." Similarly, one can model the uniform rectangle $[0,1]^2$ with the uniform interval $[0,1]$: Take a decimal expansion of each point in $[0,1]$, and build two new decimals, one from the odd-numbered digits and one from the even-numbered digits.² Thus, forcing $\mathcal{C}$ to be closed under quotients is not a real restriction; it allows us to capture the notion that "a fair die is more powerful than a fair coin."³

We define an infinite random source to be one that contains an infinite space.⁴ A finite random source, on the other hand, contains only finite probability spaces. Further, for any set of numbers $S$, we define an $S$-random source to be one which is forced to take probabilities in $S$. That is, all the measurable sets in its probability spaces have measures in $S$.

Sometimes we will find it useful to talk about the strongest random source in some 
collection of sources. We call such a random source full-strength for that collection. For 
instance, a full-strength finite random source can model any finite probability space, and a 
full-strength S-random source can model any S-random source. 

In practice, when $p$ people simulate a private random source for someone else, they may want to make sure that privacy is preserved even if a few people blab about the data from their random sources or try to game the system. Define an $r$-robust function of $p$ independent random variables to be one whose distribution does not change when the joint distribution of any $r$ of the random variables is altered. Saying that $p$ people simulate a random source $r$-robustly is equivalent to asserting that the privacy of that source is preserved unless someone learns the data of more than $r$ participants. Similarly, to simulate a random source using $p$ sources, at least $q$ of which are working properly, Alice must run a $(p - q)$-robust simulation.

By a robust function or simulation, we mean a 1-robust one.

1 A measure-preserving map (morphism in the category of probability spaces) is a function for which the 
inverse image of every measurable set is measurable and has the same measure. Any measure-preserving 
map may be thought of as a quotient "up to measure zero." 

2 In fact, this defines an isomorphism of probability spaces between the rectangle and the interval. 

3 It would also be natural (albeit unnecessary) to require that C is closed under finite products. 

4 An infinite space is one that is not isomorphic to any finite space. A space with exactly 2012 measurable 
sets will always be isomorphic to a finite space, no matter how large it is as a set. 
We use $J$ to denote the all-ones tensor of appropriate dimensions. When we apply $J$ to a vector or hypermatrix, we always mean "add up the entries."

1.2 Results 

This paper answers the question "When can a function sampling from $p$ independent random sources be protected against miscalibration or dependency among $p - q$ of them?" (Alice's predicament), or equivalently, "When can $p$ people with random sources simulate a private random source for someone else⁵ in a way that protects against gossip among any $p - q$ of them?" (Bob's predicament). In the first question, we assume that at least $q$ of the sources are still functioning correctly, but we don't know which. In the second question, we assume that at least $q$ of the people keep their mouths shut, but we don't know who. In the terminology just introduced, we seek a $(p - q)$-robust simulation.

Consider the case of $p$ full-strength finite random sources. We prove: If $1 \le q \le p/2$, the people may simulate any finite $\mathbb{Q}$-random source and nothing better; if $p/2 < q < p$, they may simulate any finite $\overline{\mathbb{Q}}$-random source and nothing better. The proof uses projective varieties, convex geometry, and the probabilistic method. We also deal briefly with the case of infinite random sources, in which full-strength simulation is possible, indeed easy (see Appendix C).

1.3 Yao's robust coin flipping 

Our work fits in the context of secure multiparty computation, a field with roots in A. C. Yao's influential paper [Yao82]. In the last section of his paper, entitled "What cannot be done?", Yao presents (a claim equivalent to) the following theorem:

Theorem 1 (A. C. Yao). Alice has several finite random sources, and she wants to generate a random bit with bias $\alpha$. Unfortunately, she knows that one of them may be miscalibrated, and she doesn't know which one. This annoyance actually makes her task impossible if $\alpha$ is a transcendental number.

It does not suffice for Alice to just program the distribution $(\alpha \ \ 1 - \alpha)$ into one of the random sources and record the result; this fails because she might use the miscalibrated one! We require — as in our jar of pennies example — that Alice's algorithm be robust enough to handle unpredictable results from any single source.

Unfortunately, Yao provides no proof of the theorem, and we are not aware of any in the literature. Yao's theorem is a special case of the results we described in the previous section.



2 Simulating finite random sources 

The following result is classical.

⁵ Later, we give an application to secure multiparty computation in which the output of the simulated random source has no single recipient, but is utilized by the group without any individual gaining access; see Section 3.

Proposition 2. If $p$ players are equipped with private $d$-sided dice, they may $(p-1)$-robustly simulate a $d$-sided die.



Proof. We provide a direct construction. Fix a group $G$ of order $d$ (such as the cyclic group $\mathbb{Z}/d\mathbb{Z}$). The $i$th player uses the uniform measure to pick $g_i \in G$ at random. The roll of the simulated die will be the product $g_1 g_2 \cdots g_p$.

It follows from the $G$-invariance of the uniform measure that any $p$-subset of

(1) $\{g_1, g_2, \dots, g_p, g_1 g_2 \cdots g_p\}$

is independent! Thus, this is a $(p-1)$-robust simulation. □

For an example of this construction, consider how Alice and Bob may robustly flip a coin with bias 2/5. Alice picks an element $a \in \mathbb{Z}/5\mathbb{Z}$, and Bob picks an element $b \in \mathbb{Z}/5\mathbb{Z}$; both do so using the uniform distribution. Then, $a$, $b$, and $a + b$ are pairwise independent! We say that the coin came up heads if $a + b \in \{0, 1\}$ and tails if $a + b \in \{2, 3, 4\}$.

This construction exploits the fact that several random variables may be pairwise (or $(p-1)$-setwise) independent but still dependent overall. In cryptology, this approach goes back to the one-time pad. Shamir [Sha79] uses it to develop secret-sharing protocols, and these are exploited in multiparty computation to such ends as playing poker without cards [GM82, GMW87].

Corollary 3. If $p$ players are equipped with private, full-strength finite $\mathbb{Q}$-random sources, they may $(p-1)$-robustly simulate a private, full-strength finite $\mathbb{Q}$-random source for some other player.

Proof. Follows from Proposition 2 because any finite rational probability space is a quotient of some finite uniform distribution. □



2.1 Cooperative numbers 

We define a useful class of numbers.

Definition 4. If $p$ people with private full-strength finite random sources can robustly simulate a coin flip with bias $\alpha$, we say $\alpha$ is $p$-cooperative. We denote the set of $p$-cooperative numbers by $\mathfrak{c}(p)$.

The ability to robustly simulate coin flips of certain bias is enough to robustly simulate any finite spaces with points having those biases, assuming some hypotheses about $\mathfrak{c}(p)$ which we will later see to be true.

Lemma 5. Suppose that, if $\alpha, \alpha' \in \mathfrak{c}(p)$ and $\alpha < \alpha'$, then $\alpha/\alpha' \in \mathfrak{c}(p)$. If $p$ people have full-strength finite random sources, they can robustly simulate precisely finite $\mathfrak{c}(p)$-random sources.

Proof. Clearly, any random source they simulate must take $p$-cooperative probabilities, because any space with a subset of mass $\alpha$ has the space $(\alpha \ \ 1 - \alpha)$ as a quotient. In the other direction, consider a finite probability space with point masses

(2) $(\alpha_1 \ \ \alpha_2 \ \ \cdots \ \ \alpha_n)$

in $\mathfrak{c}(p)$. Robustly flip a coin of bias $\alpha_1$. In the heads case, we pick the first point. In the tails case, we apply induction to robustly simulate

(3) $(\alpha_2/(1-\alpha_1) \ \ \cdots \ \ \alpha_n/(1-\alpha_1))$.

This is possible because $1 - \alpha_1 \in \mathfrak{c}(p)$ by symmetry, and so the ratios $\alpha_j/(1-\alpha_1) \in \mathfrak{c}(p)$ by assumption. □

2.2 Restatement using multilinear algebra 

Consider a {heads, tails}-valued function of several independent finite probability spaces that produces an $\alpha$-biased coin flip when random sources sample the spaces. If we model each probability space as a stochastic vector — that is, a nonnegative vector whose coordinates sum to one — we may view the product probability space as the Kronecker product of these vectors. Each entry in the resulting tensor represents the probability of a certain combination of outputs from the random sources. Since the sources together determine the flip, some of these entries should be marked "heads," and the rest "tails."

For instance, if we have a fair die and a fair coin at our disposal, we may cook up some rule to assign "heads" or "tails" to each combination of results:

If we want to calculate the probability of heads, we can substitute 1 for H and 0 for T in the last matrix and evaluate

This framework gives an easy way to check if the algorithm is robust in the sense of Yao. If one of the random sources is miscalibrated (maybe the die is a little uneven), we may see what happens to the probability of heads:

It's unaffected! In fact, defining

(7)

we see that letting $\beta^{(1)} = (\tfrac16 \ \tfrac16 \ \tfrac16 \ \tfrac16 \ \tfrac16 \ \tfrac16)$ (the fair die) and $\beta^{(2)} = (\tfrac12 \ \tfrac12)$ (the fair coin) gives us

(8) $A(x^{(1)}, \beta^{(2)}) = A(\beta^{(1)}, x^{(2)}) = \tfrac12$

for all $x^{(1)}$ and $x^{(2)}$ of mass one. These relations express Yao's notion of robustness; indeed, changing at most one of the distributions to some other distribution leaves the result unaltered. As long as no two of the sources are miscalibrated, the bit is generated with probability 1/2.

If $\alpha$ denotes the bias of the bit, we may write the robustness condition as

(9) $A(x^{(1)}, \beta^{(2)}) = \alpha J(x^{(1)}, \beta^{(2)})$, $\quad A(\beta^{(1)}, x^{(2)}) = \alpha J(\beta^{(1)}, x^{(2)})$

since the $\beta^{(i)}$ both have mass one. (Here as always, $J$ stands for the all-ones tensor of appropriate dimensions.) These new equations hold for all $x^{(i)}$, by linearity. Subtracting, we obtain

(10) $0 = (\alpha J - A)(x^{(1)}, \beta^{(2)})$, $\quad 0 = (\alpha J - A)(\beta^{(1)}, x^{(2)})$,

which says exactly that the bilinear form $(\alpha J - A)$ is degenerate, i.e., that

(11) $\mathrm{Det}(\alpha J - A) = 0$.⁶

These conditions seem familiar: Changing the all-ones matrix $J$ to the identity matrix $I$ would make $\alpha$ an eigenvalue for the left and right eigenvectors $\beta^{(i)}$. By analogy, we call $\alpha$ a mystery-value of the matrix $A$ and the vectors $\beta^{(i)}$ mystery-vectors. Here's the full definition:

Definition 6. A $p$-linear form $A$ is said to have mystery-value $\alpha$ and corresponding mystery-vectors $\beta^{(i)}$ when, for any $1 \le j \le p$,

(12) $0 = (\alpha J - A)(\beta^{(1)}, \dots, \beta^{(j-1)}, x^{(j)}, \beta^{(j+1)}, \dots, \beta^{(p)})$ for all vectors $x^{(j)}$.

We further require that $J(\beta^{(j)}) \ne 0$.

⁶ If the matrix $(\alpha J - A)$ is not square, this equality should assert that all determinants of maximal square submatrices vanish.
We will see later that these conditions on $(\alpha J - A)$ extend the notion of degeneracy to multilinear forms in general. This extension is captured by a generalization of the determinant — the hyperdeterminant.⁷ Hyperdeterminants will give meaning to the statement $\mathrm{Det}(\alpha J - A) = 0$, even when $A$ is not bilinear.

This organizational theorem summarizes our efforts to restate the problem using multilinear algebra.

Theorem 7. A function from the product of several finite probability spaces to the set $\{H, T\}$ generates an $\alpha$-biased bit robustly iff the corresponding multilinear form has mystery-value $\alpha$ with the probability spaces as the accompanying mystery-vectors.

We may now show the equivalence of robustness and privacy more formally. Privacy requires that $(\alpha J - A)$ remains zero, even if one of the distributions in the tensor product collapses to some point mass, that is, to some basis vector.⁸ This condition must hold for all basis vectors, so it extends by linearity to Yao's robustness.
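As an added example (not code from the paper), the following Python builds the $\{0,1\}$-hypermatrix of the $\mathbb{Z}/d\mathbb{Z}$ construction of Proposition 2 and checks the mystery-value condition of Definition 6 exactly, using rational arithmetic and point masses in place of arbitrary $x^{(j)}$ (which suffices by linearity); it goes one step beyond the definition by also computing the largest $r$ for which the rule is $r$-robust. The function names and the skewed die are my own constructions.

```python
from fractions import Fraction
from itertools import combinations, product


def multilinear(A, vectors):
    """Evaluate the p-linear form A on (x^(1), ..., x^(p)):
    sum over index tuples i of A[i] * x^(1)[i_1] * ... * x^(p)[i_p].
    A is a dict {index tuple: entry}."""
    total = Fraction(0)
    for idx, entry in A.items():
        if entry == 0:
            continue
        term = Fraction(entry)
        for j, i in enumerate(idx):
            term *= vectors[j][i]
        total += term
    return total


def basis_vector(n, k):
    """Point mass on outcome k: a source that always reports k."""
    return [Fraction(int(i == k)) for i in range(n)]


def robustness_order(A, dims, betas):
    """Largest r such that replacing ANY r of the arguments by arbitrary
    mass-one vectors leaves A(...) equal to A(beta^(1), ..., beta^(p)).
    The form is linear in the freed slots jointly, so it suffices to try
    every point mass in those slots; this also covers an altered joint
    (dependent) distribution of the r freed sources, which is a convex
    combination of such point masses.  Returns 0 if even r = 1 fails."""
    alpha = multilinear(A, betas)
    p = len(dims)
    for r in range(1, p + 1):
        for slots in combinations(range(p), r):
            for choice in product(*(range(dims[j]) for j in slots)):
                args = list(betas)
                for j, k in zip(slots, choice):
                    args[j] = basis_vector(dims[j], k)
                if multilinear(A, args) != alpha:
                    return r - 1
    return p


def mystery_value(A, dims, betas):
    """Definition 6 for stochastic betas: alpha if (alpha J - A) vanishes
    whenever one argument is freed (robustness_order >= 1), else None."""
    if any(sum(b) != 1 for b in betas):
        raise ValueError("expects stochastic mystery-vectors (J(beta) = 1)")
    alpha = multilinear(A, betas)
    return alpha if robustness_order(A, dims, betas) >= 1 else None


def group_sum_hypermatrix(p, d, heads):
    """{0,1}-hypermatrix of the Proposition 2 rule over Z/dZ: entry
    (g_1, ..., g_p) is 1 ("heads") iff g_1 + ... + g_p mod d lies in heads."""
    return {idx: int(sum(idx) % d in heads) for idx in product(range(d), repeat=p)}


def bias_2_of_5_demo():
    """Alice and Bob (p = 2) flip a 2/5-biased coin with Z/5Z dice, then a
    third player joins (p = 3).  Returns (alpha, value under a skewed die,
    r for p = 2, r for p = 3, mystery-value of a rule that ignores Bob)."""
    d, heads = 5, {0, 1}
    uniform = [Fraction(1, d)] * d
    A2 = group_sum_hypermatrix(2, d, heads)
    alpha = mystery_value(A2, [d, d], [uniform, uniform])      # 2/5
    # Constructed miscalibrated die for Alice: heads probability is unchanged.
    skewed = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8),
              Fraction(1, 16), Fraction(1, 16)]
    skewed_value = multilinear(A2, [skewed, uniform])            # still 2/5
    r2 = robustness_order(A2, [d, d], [uniform] * 2)             # 1 = p - 1
    A3 = group_sum_hypermatrix(3, d, heads)
    r3 = robustness_order(A3, [d, d, d], [uniform] * 3)          # 2 = p - 1
    # A rule that looks only at Alice's die has no mystery-value: Bob's
    # source is irrelevant, so Alice alone learns (and controls) the bit.
    leaky = {idx: int(idx[0] in heads) for idx in product(range(d), repeat=2)}
    return alpha, skewed_value, r2, r3, mystery_value(leaky, [d, d], [uniform] * 2)


if __name__ == "__main__":
    print(bias_2_of_5_demo())
```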

2.3 Two players 

The case $p = 2$ leaves us in the familiar setting of bilinear forms.

Proposition 8 (Uniqueness). Every bilinear form has at most one mystery-value.

Proof. Suppose $\alpha$ and $\alpha'$ are both mystery-values for the matrix $A$ with mystery-vectors $\beta^{(i)}$ and $\beta'^{(i)}$, respectively. We have four equations at our disposal, but we will only use two:

(13) $A(x^{(1)}, \beta^{(2)}) = \alpha$, $\quad A(\beta'^{(1)}, x^{(2)}) = \alpha'$.

We observe that a compromise simplifies both ways:

(14) $\alpha = A(\beta'^{(1)}, \beta^{(2)}) = \alpha'$,

so any two mystery-values are equal. □

Corollary 9. Two players may not simulate an irrationally-biased coin.

Proof. Say the $\{0,1\}$-matrix $A$ has mystery-value $\alpha$. Any field automorphism $\sigma \in \mathrm{Gal}(\mathbb{C}/\mathbb{Q})$ respects all operations of linear algebra, so $\sigma(\alpha)$ is a mystery-value of the matrix $\sigma(A)$. But the entries of $A$ are all rational, so $\sigma(A) = A$. Indeed, $\sigma(\alpha)$ must also be a mystery-value of $A$ itself. By the uniqueness proposition, $\sigma(\alpha) = \alpha$. Thus, $\alpha$ is in the fixed field of every automorphism over $\mathbb{Q}$ and cannot be irrational. □

⁷ Hyperdeterminants were first introduced in the $2 \times 2 \times 2$ case by Cayley [Cay45], and were defined in full generality and studied by Gelfand, Kapranov, and Zelevinsky [GKZ94, Chapter 14].

⁸ That is, the simulated bit remains a "mystery" to each player, even though she can see the output of her own random source.
Theorem 10. $\mathfrak{c}(2) = \mathbb{Q} \cap [0,1]$. Two people with finite random sources can robustly simulate only $\mathbb{Q}$-random sources; indeed, they can already simulate a full-strength finite $\mathbb{Q}$-random source if they have full-strength finite $\mathbb{Q}$-random sources.

Proof. The previous corollary shows that no probability generated by the source can be irrational, since it could be used to simulate an irrationally-biased coin. The other direction has already been shown in Corollary 3. □

Proposition 11. If $p$ people have full-strength finite $\mathbb{Q}$-random sources, they may $(p-1)$-robustly simulate any finite $\mathbb{Q}$-random source.

Proof. Follows from Proposition 2 just as the constructive direction of Theorem 10 does. □



2.4 Three or more players: what can't be done 

Even if three or more players have private finite random sources, it remains impossible to robustly simulate a transcendentally-biased coin. The proof makes use of algebraic geometry, especially the concept of the dual of a complex projective variety. We describe these ideas briefly in Appendix A. For a more thorough introduction, see [Har92, Lec. 14, 15, 16] or [GKZ94, Ch. 1].

Let $A$ be a rational multilinear functional of format $n_1 \times \cdots \times n_p$ (see Section A.2), and let $X$ be the Segre variety of the same format. Set $n := n_1 \cdots n_p - 1$, the dimension of the ambient projective space where $X$ lives. In what follows, we prove that $A$ has algebraic mystery-values. This is trivial when $A$ is a multiple of $J$, and for convenience we exclude that case.

Proposition 12. Let $A$ have mystery-value $\alpha$ with corresponding mystery-vectors $\beta^{(i)}$. Define $\beta = \bigotimes \beta^{(i)}$, and let $\mathfrak{B}$ denote the hyperplane of elements of $(\mathbb{P}^n)^*$ that yield zero when applied to $\beta$. Now $(\mathfrak{B}, (\alpha J - A))$ is in the incidence variety $W_{X^\vee}$ (see Section A.1).

Proof. By the biduality theorem (Theorem 31), the result would follow from the statement,

(15) "The hyperplane $\{x : (\alpha J - A)(x) = 0\}$ is tangent to $X$ at $\beta$."

But this statement is true by the partial derivatives formulation (Definition 32) of the degeneracy of $(\alpha J - A)$. □

It is a standard fact (see e.g. [Mum95, p. 6]) that any variety has a stratification into locally closed smooth sets. The first stratum of $X^\vee$ is the Zariski-open set of smooth points of the variety. This leaves a subvariety of strictly smaller dimension, and the procedure continues inductively. Equations for the next stratum may be found by taking derivatives and determinants.

Since $X^\vee$ itself is defined over $\mathbb{Q}$, it follows that each of its strata is as well. We conclude that there must be some subvariety $S \subseteq X^\vee$, defined over $\mathbb{Q}$, that contains $(\alpha J - A)$ as a smooth point.

Theorem 13. Any mystery-value of $A$ must be an algebraic number.

Proof. Let $A' = \alpha J - A$, and let $\ell$ be the unique projective line through $A$ and $J$. Let $\mathbb{A}$ be some open affine in $(\mathbb{P}^n)^*$ containing $A'$ and $J$. The hyperplane $\mathfrak{B} \cap \mathbb{A}$ is the zero locus of some degree one regular function $f$ on $\mathbb{A}$. On $\ell \cap \mathbb{A}$, this function will be nonzero at $J$ (since $J(\beta) \ne 0$), so $f$ is linear and not identically zero. It follows that $f(A') = 0$ is the unique zero of $f$ on $\ell$, occurring with multiplicity one. Thus, the restriction of $f$ to the local ring of $\ell$ at $A'$ is in the maximal ideal but not its square:

(16) $0 \ne f \in \mathfrak{m}_\ell/\mathfrak{m}_\ell^2 = T^*_{A'}(\ell)$, where $\mathfrak{m}_\ell$ denotes the maximal ideal in $\mathcal{O}_{\ell, A'}$.

On the other hand, Proposition 12 shows that $(\mathfrak{B}, A') \in W_{X^\vee}$. Consequently, $\mathfrak{B}$ must be tangent to $S$, that is, $f$ restricted to $S$ is in the square of the maximal ideal of the local ring of $S$ at $A'$:

(17) $f = 0 \in \mathfrak{m}_S/\mathfrak{m}_S^2 = T^*_{A'}(S)$, where $\mathfrak{m}_S$ denotes the maximal ideal in $\mathcal{O}_{S, A'}$.

The function $f$ must be zero in the cotangent space of the intersection $S \cap \ell$, since the inclusion $S \cap \ell \hookrightarrow S$ induces a surjection

(18) $T^*_{A'}(S) \twoheadrightarrow T^*_{A'}(S \cap \ell)$,

so the corresponding surjection

(19) $T^*_{A'}(\ell) \twoheadrightarrow T^*_{A'}(S \cap \ell)$

must kill $f$. This first space is the cotangent space of a line, hence one dimensional. But $f$ is nonzero in the first space, so the second space must be zero. It follows that $S \cap \ell$ is a zero dimensional variety.

Of course, $[\alpha : 1]$ lies in $S \cap \ell$, which is defined over $\mathbb{Q}$! The number $\alpha$ must be algebraic. □

Therefore, the set of $p$-cooperative numbers is contained in $\overline{\mathbb{Q}} \cap [0,1]$, and we have established the following proposition:

Proposition 14. If several people with finite random sources simulate a private random source for someone else, that source must take probabilities in $\overline{\mathbb{Q}}$.



2.5 Three players: what can be done 

We prove that three players with private full-strength finite random sources are enough to simulate any private finite $\overline{\mathbb{Q}}$-random source. First, we give a construction for a hypermatrix with stochastic mystery-vectors for a given algebraic number $\alpha$, but whose entries may be negative. Next, we use it to find a nonnegative hypermatrix with mystery-value $(\alpha + r)/s$ for some suitable natural numbers $r$ and $s$. Then, after a bit of convex geometry to "even out" this hypermatrix, we scale and shift it back, completing the construction.

Remark 15. Our construction may easily be made algorithmic, but in practice it gives hypermatrices that are far larger than optimal. An optimal algorithm would need to be radically different to take full advantage of the third person. The heart of our construction (see Proposition 18) utilizes $2 \times (n+1) \times (n+1)$ hypermatrices, but the degree of the hyperdeterminant polynomial grows much more quickly for (near-) diagonal formats [GKZ94, Ch. 14]. We would be excited to see a method of producing (say) small cubic hypermatrices with particular mystery-values.
2.5.1 Hypermatrices with cooperative entries

Recall that a {heads, tails}-function of several finite probability spaces may be represented by a $\{1, 0\}$-hypermatrix. The condition that the entries of the matrix are either 1 or 0 is inconvenient when we want to build simulations for a given algebraic bias. Fortunately, constructing a matrix with cooperative entries will suffice.

Lemma 16. Suppose that $A$ is a $p$-dimensional hypermatrix with $p$-cooperative entries in $[0,1]$ and stochastic mystery-vectors $\beta^{(1)}, \dots, \beta^{(p)}$ for the mystery-value $\alpha$. Then, $\alpha$ is $p$-cooperative.

Proof. Let the hypermatrix $A$ have entries $w_1, w_2, \dots, w_n$. Each entry $w_i$ is $p$-cooperative, so it is the mystery-value of some $p$-dimensional $\{0,1\}$-hypermatrix $A_i$ with associated stochastic mystery-vectors $\beta_i^{(1)}, \dots, \beta_i^{(p)}$. We now build a $\{0,1\}$-hypermatrix $A'$ with $\alpha$ as a mystery-value. The hypermatrix $A'$ has blocks corresponding to the entries of $A$. We replace each entry $w_i$ of $A$ with a Kronecker product:

(20) $w_i$ becomes $J_1 \otimes J_2 \otimes \cdots \otimes J_{i-1} \otimes A_i \otimes J_{i+1} \otimes \cdots \otimes J_n$.

It is easy to check that the resulting tensor $A'$ has $\alpha$ as a mystery-value with corresponding mystery-vectors $\beta^{(j)} \otimes \beta_1^{(j)} \otimes \beta_2^{(j)} \otimes \cdots \otimes \beta_n^{(j)}$. □

Because rational numbers are 2-cooperative, this lemma applies in particular to rational $p$-dimensional hypermatrices, for $p \ge 2$. In this case and in others, the construction can be modified to give an $A'$ of smaller format.

Readers who have been following the analogy between mystery-values and eigenvalues will see that Lemma 16 corresponds to an analogous result for eigenvalues of matrices. Nonetheless, there are striking differences between the theories of mystery-values and eigenvalues. For instance, we are in the midst of showing that it is always possible to construct a nonnegative rational hypermatrix with a given nonnegative algebraic mystery-value and stochastic mystery-vectors. The analogous statement for matrix eigenvalues is false, by the Perron-Frobenius theorem: any such algebraic number must be greater than or equal to all of its Galois conjugates (which will also occur as eigenvalues). Encouragingly, the inverse problem for eigenvalues has been solved: Every "Perron number" may be realized as a "Perron eigenvalue" [Lin84]. Our solution to the corresponding inverse problem for mystery-values uses different techniques. It would be nice to see if either proof sheds light on the other.



2.5.2 Constructing hypermatrices from matrices 

Proposition 17. If $\lambda$ is a real algebraic number of degree $n$, then there is some $M \in M_n(\mathbb{Q})$ having $\lambda$ as an eigenvalue with non-perpendicular positive left and right eigenvectors.

Proof. Let $f \in \mathbb{Q}[x]$ be the minimal polynomial for $\lambda$ over $\mathbb{Q}$, and let $L$ be the companion matrix for $f$. That is, if

(21) $f(x) = x^n + \sum_{k=0}^{n-1} a_k x^k$ for $a_k \in \mathbb{Q}$,

then

(22) $L = \begin{pmatrix} 0 & 0 & \cdots & 0 & -a_0 \\ 1 & 0 & \cdots & 0 & -a_1 \\ 0 & 1 & \cdots & 0 & -a_2 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & -a_{n-1} \end{pmatrix}.$

The polynomial $f$ is irreducible over $\mathbb{Q}$, so it has no repeated roots in $\mathbb{C}$. The matrix $L$ is therefore diagonalizable, with diagonal entries the roots of $f$. Fix a basis for which $L$ is diagonal, with $\lambda$ in the upper-left entry. In this basis, the right and left eigenvectors, $v_0$ and $w_0$, corresponding to $\lambda$ are zero except in the first coordinate. It follows that $v_0(w_0) \ne 0$.

The right and left eigenvectors may now be visualized as two geometric objects: a real hyperplane and a real vector not contained in it. It's clear that $GL_n(\mathbb{R})$ acts transitively on the space $S := \{(v, w) \in (\mathbb{R}^n)^* \times \mathbb{R}^n : v(w) = v_0(w_0)\}$. Moreover, $GL_n(\mathbb{Q})$ is dense in $GL_n(\mathbb{R})$, so the orbit of $(v_0, w_0)$ under the action of $GL_n(\mathbb{Q})$ is dense in $S$. The set of positive pairs in $S$ is non-empty and open, so we may rationally conjugate $L$ to a basis which makes $v_0$ and $w_0$ positive. □

Proposition 18. If $\lambda$ is real algebraic, then there exist integers $r \ge 0$, $s > 0$ such that $(\lambda + r)/s \in \mathfrak{c}(3)$.

Proof. By Proposition 17, there is a rational $n \times n$ matrix $M$ with non-perpendicular positive right and left eigenvectors $v$, $w$ for the eigenvalue $\lambda$. Rescale $w$ so that $v(w) = 1$, and choose an integer $q > \max\{J(v), J(w)\}$. Define the block $2 \times (n+1) \times (n+1)$ hypermatrix

(23) $A$: block hypermatrix with blocks $1 \cdots 1$, $1$, $q^2 M$, $q^2 (M - I) + J$, $1$ (layout not recovered),

where $I$ and $J$ are the $n \times n$ identity and all-ones matrices, respectively. Consider $A$ as a trilinear form, where the metacolumns correspond to the coordinates of the first vector, the rows the second, and the columns the third. Define the block vectors

(24) $\beta^{(2)} = (\ \cdot \ \ v_1/q \ \ v_2/q \ \ \cdots \ \ v_n/q \ )$, and $\beta^{(3)} = (\ \cdot \ \ w_1/q \ \ w_2/q \ \ \cdots \ \ w_n/q \ )$, whose first entries (involving $J(v)/q$ and $J(w)/q$) and the vector $\beta^{(1)}$ were not recovered.

Clearly, these are all probability vectors. It's easy to verify that

(25) $A(x^{(1)}, \beta^{(2)}, \beta^{(3)}) = \lambda J(x^{(1)})$, $\quad A(\beta^{(1)}, x^{(2)}, \beta^{(3)}) = \lambda J(x^{(2)})$, and $\quad A(\beta^{(1)}, \beta^{(2)}, x^{(3)}) = \lambda J(x^{(3)})$.

Choose a nonnegative integer $r$ large enough so that all the entries of $A + rJ$ are positive, and then a positive integer $s$ so that all the entries of $A' := (A + rJ)/s$ are between 0 and 1. Then

(26) $A'(x^{(1)}, \beta^{(2)}, \beta^{(3)}) = A'(\beta^{(1)}, x^{(2)}, \beta^{(3)}) = A'(\beta^{(1)}, \beta^{(2)}, x^{(3)}) = \dfrac{\lambda + r}{s}$

for all $x^{(j)}$ of mass one. By Lemma 16, it follows that $(\lambda + r)/s$ is 3-cooperative. □



2.5.3 Finishing the Proof 

The following lemma, which we prove later, enables us to complete the goal of this section: to classify which private random sources three or more people can simulate.

Lemma 19 (Approximation lemma). Let $\alpha$ be a $p$-cooperative number. Now for any $\varepsilon > 0$ there exists a $p$-dimensional rational hypermatrix whose entries are all within $\varepsilon$ of $\alpha$, having $\alpha$ as a mystery-value with stochastic mystery-vectors.

Theorem 20. $\mathfrak{c}(p) = \overline{\mathbb{Q}} \cap [0,1]$ for each $p \ge 3$.

Proof. Certainly 0 and 1 are 3-cooperative. Let $\alpha$ be an algebraic number in $(0,1)$. By Proposition 18, there are integers $r \ge 0$, $s > 0$ so that $(\alpha + r)/s$ is 3-cooperative. Let $\varepsilon := (\min\{\alpha, 1 - \alpha\})/s$.

By Lemma 19, there is some three-dimensional rational hypermatrix $A$ whose entries are all within $\varepsilon$ of $(\alpha + r)/s$, having $(\alpha + r)/s$ as a mystery-value with stochastic mystery-vectors. Then, $sA - rJ$ is a three-dimensional rational hypermatrix with entries between 0 and 1, having $\alpha$ as a mystery-value with stochastic mystery-vectors. By Lemma 16, $\alpha$ is 3-cooperative.

We already showed that all cooperative numbers are algebraic. Thus, for $p \ge 3$,

(27) $\overline{\mathbb{Q}} \cap [0,1] \subseteq \mathfrak{c}(3) \subseteq \mathfrak{c}(p) \subseteq \overline{\mathbb{Q}} \cap [0,1]$,

so $\mathfrak{c}(p) = \overline{\mathbb{Q}} \cap [0,1]$. □

In conclusion, we have the following theorem.

Theorem 21. Three or more people with finite random sources can robustly simulate only $\overline{\mathbb{Q}}$-random sources. Indeed, if they have full-strength finite $\overline{\mathbb{Q}}$-random sources, they can already robustly simulate a full-strength finite $\overline{\mathbb{Q}}$-random source.



2.5.4 Proof of the approximation lemma 

The proof that follows is a somewhat lengthy "delta-epsilon" argument broken down into 
several smaller steps. As we believe our construction of a hypermatrix with mystery-value 
a to be far from optimal, we strive for ease of exposition rather than focusing on achieving 
tight bounds at each step along the way. 
Recall that a finite probability space may be usefully modeled by a positive⁹ vector of mass one. Let $\beta$ be such a vector. We denote by $\#\beta$ the number of coordinates of $\beta$. We say $\beta'$ is a refinement of $\beta$ when $\beta$ is the image of a measure-preserving map from $\beta'$; that is, when the coordinates of $\beta'$ may be obtained by splitting up the coordinates of $\beta$.

The following easy lemma states that any positive vector of unit mass can be refined in such a way that all the coordinates are about the same size.

Lemma 22 (Refinement lemma). Let $\beta$ be a positive vector of total mass 1. For any $\delta > 0$ there exists a refinement $\beta'$ of $\beta$ with the property that

(28) $\min \beta' > \dfrac{1 - \delta}{\#\beta'}$.

Proof. Without loss of generality, assume that $\beta_1$ is the smallest coordinate of $\beta$. Let $\gamma = \beta_1 \delta$, and let $k = \#\beta$. The vector $\beta$ is in the standard open $k$-simplex

(29) $\Delta_k = \{\text{positive vectors of mass 1 and dimension } k\}$.

The rational points in $\Delta_k$ are dense (as in any rational polytope), and

(30) $U := \{x \in \Delta_k : (\forall i)\ |\beta_i - x_i| < \gamma \text{ and } \beta_1 < x_1\}$

is an open subset of the simplex. So $U$ contains a rational point $(\tfrac{m_1}{n}, \dots, \tfrac{m_k}{n})$ with $n = \sum m_i$. Thus, $|\beta_i - \tfrac{m_i}{n}| < \gamma$ and $\beta_1 < \tfrac{m_1}{n}$, so

(31) $\left|\dfrac{\beta_i}{m_i} - \dfrac{1}{n}\right| = \dfrac{|\beta_i - m_i/n|}{m_i} < \dfrac{\gamma}{m_i} \le \dfrac{\gamma}{m_1} < \dfrac{\gamma}{\beta_1 n} = \dfrac{\delta}{n}.$

Let $\beta'$ be the refinement of $\beta$ obtained by splitting up $\beta_i$ into $m_i$ equal-sized pieces. We have $\#\beta' = n$, and the claim follows from this last inequality. □

Remark 23. The best general bounds on the smallest possible $\#\beta'$ given $\beta$ and $\delta$ are not generally known, but fairly good bounds may be obtained from the multidimensional version of Dirichlet's theorem on rational approximation, which is classical and elementary [Dav54]. Actually calculating good simultaneous rational approximations is a difficult problem, and one wishing to make an algorithmic version of our construction should consult the literature on multidimensional continued fractions and Farey partitions, for example, [Lag82, NS06].



The next proposition is rather geometrical. It concerns the nxn matrix S$ := (1 — 5)(J/n) + 
SI, which is a convex combination of two maps on the standard simplex: the averaging map 
and the identity map. Each vertex gets mapped almost to the center, so the action of Sg can 
be visualized as shrinking the standard simplex around its center point. The proposition 
picks up where the refinement lemma left off: 



Proposition 24. If a stochastic vector $\beta$ satisfies

(32) $\min_i \beta_i > (1 - \delta)/\#\beta,$

then its image under the map $S_\delta^{-1}$ is still stochastic.

9 We may leave out points of mass zero.
Proof. First note that $[(1 - \delta)(J/\#\beta) + \delta I]\,[(1 - 1/\delta)(J/\#\beta) + (1/\delta) I] = I$, so we have an explicit form for $S_\delta^{-1}$. We know that $\min_i \beta_i > (1 - \delta)/\#\beta$, so the vector

(33) $E := \dfrac{\beta - (1 - \delta)(J/\#\beta)}{\delta}$

is still positive. Now $\beta = (1 - \delta)(J/\#\beta) + \delta E$, a convex combination of two positive vectors. The vector $\beta$ has mass 1, and $(J/\#\beta)$ as well, so $E$ also has mass 1. Now compute:

(34) $S_\delta^{-1} \beta = [(1 - 1/\delta)(J/\#\beta) + (1/\delta) I]\,[(1 - \delta)(J/\#\beta) + \delta E] = [(1 - 1/\delta)(1 - \delta) + (1/\delta)(1 - \delta) + (1 - 1/\delta)\delta]\,(J/\#\beta) + E = E.$

This completes the proof. □



The following proposition shows that applying the matrix $S_\delta$ in all arguments of some multilinear functional forces the outputs to be close to each other.

Proposition 25. Let $A$ be a hypermatrix of format $n_1 \times n_2 \times \cdots \times n_p$ with entries in $[0, 1]$, and take $\delta := \varepsilon/(2p)$. Now the matrix $A'$ defined by

(35) $A'(\otimes x^{(i)}) := A(\otimes S_\delta x^{(i)})$

satisfies $|A'(x) - A'(x')| < \varepsilon$ for any two stochastic tensors $x$ and $x'$.

Proof. Let $m := A(\otimes (J/n_i))$, the mean of the entries of $A$. We show that for any stochastic vectors $x^{(i)}$,

(36) $|A'(\otimes x^{(i)}) - m| \le \varepsilon/2.$

Since any other stochastic tensor is a convex combination of stochastic pure tensors, it will follow that $|A'(x) - m| \le \varepsilon/2$. Then the triangle inequality will yield the result.

It remains to show that $A'$ applied to a stochastic pure tensor gives a value within $\varepsilon/2$ of $m$:

(37) $A'(\otimes x^{(i)}) = A\big(\otimes [(1 - \delta)(J/n_i) + \delta I]\, x^{(i)}\big) = A\big(\otimes [(1 - \delta)(J/n_i) + \delta x^{(i)}]\big).$

Each argument of $A$ (that is, each factor in the tensor product) is a convex combination of two stochastic vectors. Expanding out by multilinearity, we get a convex combination of $2^p$ points. Each point (call the $k$-th one $y_k$) is an element of $[0, 1]$ since it is some weighted average of the entries of $A$. This convex combination has positive weights $\mu_k$ such that $\sum \mu_k = 1$ and

(38) $A'(\otimes x^{(i)}) = \sum_{k=1}^{2^p} \mu_k y_k.$

Taking the first vector in each argument of $A$ in (37), we see that $y_1 = A(\otimes (J/n_i)) = m$, the average entry of $A$. Thus, the first term in the convex combination is $\mu_1 y_1 = (1 - \delta)^p m$.

The inequality $(1 - \varepsilon/2) < (1 - \delta)^p$ allows us to split up the first term. Let $\mu_0 := 1 - \varepsilon/2$ and $\mu_1' := \mu_1 - \mu_0 > 0$. We have $\mu_1 y_1 = (\mu_0 + \mu_1') y_1 = (1 - \varepsilon/2) m + \mu_1' m$. After splitting this term, the original convex combination becomes

(39) $A'(\otimes x^{(i)}) = (1 - \varepsilon/2) m + \mu_1' m + \sum_{k=2}^{2^p} \mu_k y_k.$

Let $e$ denote the weighted average of the terms after the first. We may rewrite the convex combination as

(40) $A'(\otimes x^{(i)}) = (1 - \varepsilon/2) m + (\varepsilon/2) e.$

Since $m, e \in [0, 1]$,

(41) $m - \varepsilon/2 \le (1 - \varepsilon/2) m \le A'(\otimes x^{(i)}) \le (1 - \varepsilon/2) m + \varepsilon/2 \le m + \varepsilon/2,$

and

(42) $|A'(\otimes x^{(i)}) - m| \le \varepsilon/2,$

so we are done. □



These results are now strong enough to prove the approximation lemma (Lemma 19).

Proof. The number $a$ is $p$-cooperative, so it comes with some $p$-dimensional nonnegative rational hypermatrix $A$ and positive vectors $\beta^{(1)}, \beta^{(2)}, \ldots, \beta^{(p)}$ of mass one, satisfying (in particular) $A(\otimes \beta^{(i)}) = a$. The refinement lemma allows us to assume that each $\beta^{(i)}$ satisfies

(43) $\min \beta^{(i)} > (1 - \delta)/\#\beta^{(i)}.$

If one of the $\beta^{(i)}$ fails to satisfy this hypothesis, we may replace it with the refinement given by the lemma, and duplicate the corresponding slices in $A$ to match. Now, by Proposition 24, each $S_\delta^{-1} \beta^{(i)}$ is a stochastic vector.

Let $A'$ be as in Proposition 25. It will still be a rational hypermatrix if we pick $\varepsilon$ to be rational. We know

(44) $A'(\otimes S_\delta^{-1} \beta^{(i)}) = A(\otimes \beta^{(i)}) = a.$

On the other hand, any entry of the matrix $A'$ is given by evaluation at a tensor product of basis vectors. Both $a$ and any entry of $A'$ can be found by evaluating $A'$ at a stochastic tensor. Thus, by Proposition 25, each entry of $A'$ is within $\varepsilon$ of $a$. □
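The chain Lemma 22, Proposition 24, Proposition 25 and Lemma 19 can be checked with exact rational arithmetic. The following Python is an added example, not code from the paper: the hypermatrix A, the vectors beta^(i) and eps = 1/5 are constructed sample values, and the representation of tensors (dicts keyed by index tuples) and matrices (lists of rows) is my own choice.

```python
from fractions import Fraction as F
from itertools import product

def s_delta(n, delta):
    """S_delta = (1 - delta)(J/n) + delta*I as an n x n list of rows (J = all-ones matrix)."""
    return [[(1 - delta) / n + (delta if i == j else 0) for j in range(n)] for i in range(n)]

def s_delta_inv(n, delta):
    """Explicit inverse from the proof of Proposition 24: (1 - 1/delta)(J/n) + (1/delta)*I."""
    return [[(1 - 1 / delta) / n + (1 / delta if i == j else 0) for j in range(n)] for i in range(n)]

def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def is_stochastic(v):
    return all(x >= 0 for x in v) and sum(v) == 1   # nonnegative, total mass one

def evaluate(A, dims, vectors):
    """Multilinear evaluation A(x1 (x) ... (x) xp) = sum_J A[J] * prod_k vectors[k][J_k]."""
    total = F(0)
    for J in product(*[range(n) for n in dims]):
        term = A[J]
        for k, j in enumerate(J):
            term *= vectors[k][j]
        total += term
    return total

def a_prime(A, dims, delta):
    """Hypermatrix A' of (35): A'(e_I1 (x) ... (x) e_Ip) = A(S_delta e_I1 (x) ... (x) S_delta e_Ip)."""
    S = {n: s_delta(n, delta) for n in set(dims)}
    Ap = {}
    for I in product(*[range(n) for n in dims]):
        cols = [[S[n][r][i] for r in range(n)] for n, i in zip(dims, I)]  # column i of S_delta
        Ap[I] = evaluate(A, dims, cols)
    return Ap

# Constructed sample (not from the paper): a 2 x 3 rational hypermatrix with entries in
# [0, 1], eps = 1/5, p = 2, delta = eps/(2p) = 1/20, and stochastic vectors meeting (43):
# min beta^(1) = 12/25 > (1 - delta)/2 = 19/40, min beta^(2) = 8/25 > (1 - delta)/3 = 19/60.
DIMS = (2, 3)
EPS = F(1, 5)
DELTA = EPS / (2 * len(DIMS))
A = {(0, 0): F(1, 2), (0, 1): F(3, 5), (0, 2): F(2, 5),
     (1, 0): F(1, 10), (1, 1): F(9, 10), (1, 2): F(1, 2)}
BETAS = [[F(12, 25), F(13, 25)], [F(8, 25), F(17, 50), F(17, 50)]]

def approximation_demo():
    """Walk through the proof of Lemma 19 on the sample; returns (a, A', E vectors, max |A'[I] - a|)."""
    for beta in BETAS:
        assert min(beta) > (1 - DELTA) / len(beta)          # hypothesis (43)
    Es = [matvec(s_delta_inv(len(b), DELTA), b) for b in BETAS]
    assert all(is_stochastic(E) for E in Es)                # Proposition 24
    a = evaluate(A, DIMS, BETAS)                            # a = A((x) beta^(i))
    Ap = a_prime(A, DIMS, DELTA)
    assert evaluate(Ap, DIMS, Es) == a                      # equation (44)
    gap = max(abs(v - a) for v in Ap.values())              # Proposition 25 gives gap <= eps
    return a, Ap, Es, gap
```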
2.6 Higher-order robustness



We complete the proof of our main theorem. 

Proposition 26. If r > p/2, then p people with finite random sources may r-robustly 
simulate only finite Q-random sources. 

Proof. Consider an r-robust simulation. Imagine that Alice has access to half of the random 
sources (say, rounded up), and Bob has access to the remaining sources. Because Alice and 
Bob have access to no more than r random sources, neither knows anything about the 
source being simulated. But this is precisely the two-player case of ordinary 1-robustness, 
so the source being simulated is restricted to rational probabilities. □ 

In the constructive direction, we show the following: 

Proposition 27. If r < p/2, then p people with full-strength finite Q-random sources may r-robustly simulate a full-strength finite $\bar{\mathbb{Q}}$-random source.

The proof is to simulate simulations (and simulate simulations of simulations, etc.). We 
treat the p = 3 case of our 1-robust simulation protocol as a black box. If a majority of 
the random sources put into it are reliable, the one that comes out (the simulated random 
source) will also be reliable. This viewpoint leads us into a discussion of majority gates. 

Definition 28. A p-ary majority gate is a logic gate that computes a boolean function returning 1 if a majority of its inputs are 1 and 0 if a majority of its inputs are 0. (The output doesn't matter when there are ties.)

Lemma 29 (Bureaucracy). A p-ary majority gate may be built by wiring together ternary 
majority gates. 

The proof of the bureaucracy lemma is a straightforward application of the probabilistic method, and is covered in detail in Appendix B. Now, by iterating simulations of simulations according to the wiring provided by the bureaucracy lemma, we can overcome any minority of malfunctioning sources. So the bureaucracy lemma, together with the "black box" of our three-player construction, implies Proposition 27.

Now we're finally ready to prove our main result. The statement here is equivalent to the ones in the abstract and in Section 1.2, but uses the language of robustness.



Theorem 30. Say p people have full-strength finite random sources. If p/2 < r < p, the people may r-robustly simulate any finite Q-random source and nothing better; if 1 ≤ r < p/2, they may r-robustly simulate any finite $\bar{\mathbb{Q}}$-random source and nothing better.

Proof. The claim simply combines Proposition 11, Proposition 26, Theorem 30 and Proposition 27. □



3 Application to Secure Multiparty Computation and Mental Poker

We begin with the classical case: Three gentlemen wish to play poker, but they live far away from each other, so playing with actual cards is out of the question. They could play online poker, in which another party (the remotely hosted poker program) acts as a dealer and moderator, keeping track of the cards in each player's hand, in the deck, etc., and giving each player exactly the information he would receive in a physical game. But this solution requires our gentlemen to trust the moderator! If they fear the moderator may favor one of them, or if they wish to keep their game and its outcome private, they need another system.

A better solution is to use secure multiparty computation. Our gentlemen work to simulate a moderator in a way that keeps the outcomes of the moderator's computations completely hidden from each of them. An unconditionally-secure method of playing poker (and running other games/computations) "over the phone" has been described in [GM82].

In the classical case, the players may perform finite computations, communicate along private channels, and query full-strength finitary private random sources. The simulated moderator has almost the same abilities as the players, except that its private random source is limited to rational probabilities. The work of this paper expands this to all algebraic probabilities, and shows that one can do no better.

To see how this may be useful, think back to our poker players. They may be preparing for a poker tournament, and they may want to simulate opponents who employ certain betting strategies. But poker is a complicated multiplayer game (in the sense of economic game theory), and Nash equilibria will occur at mixed strategies with algebraic coefficients.¹⁰
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A Relevant Constructions in Algebraic Geometry 

Comprehensive introductions to these constructions may be found in [Har92, Lec. 14, 15, 16] and [GKZ94, Ch. 1].

A.1 Tangency and projective duality

Let $k$ be an algebraically closed field of characteristic zero. (For our purposes, it would suffice to take $k = \mathbb{C}$, but the methods are completely general.) Let $X \subset \mathbb{P}^n$ be a projective variety over $k$. A hyperplane $H \in (\mathbb{P}^n)^*$ is (algebraically) tangent to $X$ at a point $z$ if every regular function on an affine neighborhood of $z$ vanishing on $H$ lies in the square of the maximal ideal of the local ring $\mathcal{O}_{X,z}$.

This notion of tangency agrees with geometric intuition on the set of smooth points $X^{\mathrm{sm}}$ of $X$. To get a more complete geometric picture, we define an incidence variety:

(45) $W_X := \overline{\{(z, H) : z \in X^{\mathrm{sm}},\ H \text{ is tangent to } X \text{ at } z\}} \subset \mathbb{P}^n \times (\mathbb{P}^n)^*.$

The bar denotes Zariski closure. Membership in $W_X$ may be thought of as extending the notion of tangency at a smooth point to include singular points "by continuity."

The image of a projective variety under a regular map is Zariski closed, so the projection of $W_X$ onto the second coordinate is a variety, called the dual variety and denoted $X^\vee$.

The following theorem explains why projective duality is called "duality." We omit the proof; see [Har92, p. 208-209] or [GKZ94, p. 27-30].



10 The appearance of algebraic (but not transcendental) coefficients in mixed strategies is explained by R. J. Lipton and E. Markakis in [LM04].
Theorem 31 (Biduality theorem). Let $X$ be a variety in $\mathbb{P}^n$. For $z \in \mathbb{P}^n$, let $z^{**}$ be its image under the natural isomorphism to $(\mathbb{P}^n)^{**}$. Then $(z, H) \mapsto (H, z^{**})$ defines an isomorphism $W_X \cong W_{X^\vee}$. (Specializing to the case when $z$ and $H$ are smooth points of $X$ and $X^\vee$, respectively, this says that $H$ is tangent to $X$ at $z$ if and only if $z^{**}$ is tangent to $X^\vee$ at $H$.) Moreover, $z \mapsto z^{**}$ defines an isomorphism $X \cong (X^\vee)^\vee$.



A.2 Segre embeddings and their duals

Consider the natural map $k^{n_1} \times \cdots \times k^{n_p} \to k^{n_1} \otimes \cdots \otimes k^{n_p} = k^{n_1 \cdots n_p}$ given by the tensor product. Under this map, the fiber of a line through the origin is a tuple of lines through the origin. Thus, this map induces an embedding $\mathbb{P}^{n_1 - 1} \times \cdots \times \mathbb{P}^{n_p - 1} \to \mathbb{P}^{n_1 \cdots n_p - 1}$. The map is known as the Segre embedding, and the image is known as the Segre variety $X$ of format $n_1 \times \cdots \times n_p$. It is, in other words, the pure tensors considered as a subvariety of all tensors, up to constant multiples. This variety is cut out by the determinants of the $2 \times 2$ subblocks. Also, it is smooth because it is isomorphic as a variety to $\mathbb{P}^{n_1 - 1} \times \cdots \times \mathbb{P}^{n_p - 1}$. When a projective variety is defined over the rational numbers,¹¹ its dual is also defined over the rationals, by construction [GKZ94, p. 14]. In particular, the dual $X^\vee$ of the Segre embedding is defined over $\mathbb{Q}$.

When the dimensions $n_i$ satisfy the "$p$-gon inequality"

(46) $(n_j - 1) \le \sum_{i \neq j} (n_i - 1)$ for every $j$,

Gelfand, Kapranov, and Zelevinsky [GKZ94, p. 446] show that the dual of the Segre variety is a hypersurface. The polynomial for this hypersurface is irreducible, has integer coefficients, and is known as the hyperdeterminant of format $n_1 \times \cdots \times n_p$. It is denoted by $\mathrm{Det}$. When $p = 2$ and $n_1 = n_2$, the hyperdeterminant is the same as the determinant of a square matrix [GKZ94, p. 36].

Gelfand, Kapranov, and Zelevinsky provide us with two equivalent definitions of degeneracy.

Definition 32. A $p$-linear form $T$ is said to be degenerate if either of the following equivalent conditions holds:

• there exist nonzero vectors $\beta^{(i)}$ so that, for any $1 \le j \le p$,

(47) $T(\beta^{(1)}, \ldots, \beta^{(j-1)}, x^{(j)}, \beta^{(j+1)}, \ldots, \beta^{(p)}) = 0$ for all $x^{(j)}$;

• there exist nonzero vectors $\beta^{(i)}$ so that $T$ vanishes at $\otimes \beta^{(i)}$ along with every partial derivative with respect to an entry of some $\beta^{(i)}$:

(48) $T$ and $\dfrac{\partial T}{\partial \beta^{(i)}_j}$ vanish at $\otimes \beta^{(i)}$.

The dual of the Segre variety is useful to us because it can tell whether a multilinear form is degenerate.

11 That is, it is the zero set of a system of homogeneous rational polynomials.
Theorem 33 (Gelfand, Kapranov, and Zelevinsky). For any format, the dual $X^\vee$ of the Segre embedding is defined over $\mathbb{Q}$ and satisfies, for every multilinear form $T$ of that format,

(49) $T \in X^\vee \iff T \text{ is degenerate.}$

When the format satisfies the "$p$-gon inequality," $X^\vee$ is defined by a polynomial in the entries of $T$ with coefficients in $\mathbb{Z}$, called the hyperdeterminant:

(50) $\mathrm{Det}(T) = 0 \iff T \text{ is degenerate.}$

B Proof of the bureaucracy lemma

Here, we show that a $p$-ary majority gate may be built out of ternary majority gates.

Proof. We prove the existence of the majority gate by showing that a random gate built in a certain way has a positive probability of being a majority gate. For simplicity, we assume $p$ is odd. The even case follows from the odd case: A $(2k - 1)$-ary majority gate functions as a $(2k)$-ary majority gate if we simply ignore one of the inputs.

Make a balanced ternary tree of depth $n$ out of $3^0 + 3^1 + \cdots + 3^{n-1}$ ternary majority gates, where $n$ is to be specified later. Let $S$ be the set of possible assignments of $p$ colors (one for each input slot) to the $3^n$ leaves of the tree. Each $s \in S$ defines a $p$-ary gate; we prove that, for $n$ large enough, a positive fraction of these are majority gates. Let $T$ be the set of $p$-tuples of input values with exactly $(p+1)/2$ coordinates equal to 1. For $(s, t) \in S \times T$, let $\chi(s, t)$ be the bit returned by the gate defined by $s$ on input $t$.

If each input of a 3-ary majority gate is chosen to be 1 with probability $x$, and 0 with probability $1 - x$, we may compute the probability $f(x)$ that the resulting bit is 1:

(51)

Fixing the choice of $t \in T$ and letting $s$ vary uniformly, it's as if we're assigning 1 or 0 to each leaf with probabilities $(p+1)/(2p)$ and $(p-1)/(2p)$, respectively. We have

(52) $\dfrac{1}{|S|} \sum_{s \in S} \chi(s, t) = f^n\!\left(\dfrac{p+1}{2p}\right),$

where $f^n$ denotes iterated composition. Whenever $1/2 < \xi < 1$, it's easy to see that $f^n(\xi)$ approaches 1 as $n$ becomes large.¹² Choose $n$ so that $f^n\!\left(\frac{p+1}{2p}\right) > 1 - \frac{1}{|T|}$. Now,

(53) $\dfrac{1}{|S|} \sum_{s \in S} \sum_{t \in T} \chi(s, t) = \sum_{t \in T} \dfrac{1}{|S|} \sum_{s \in S} \chi(s, t) = |T|\, f^n\!\left(\dfrac{p+1}{2p}\right) > |T| \left(1 - \dfrac{1}{|T|}\right) = |T| - 1.$

This is an average over $S$, and it follows that there must be some particular $s_0 \in S$ so that the inner sum $\sum_{t \in T} \chi(s_0, t)$ is greater than $|T| - 1$. But that sum clearly takes an integer value between 0 and $|T|$, so it must take the value $|T|$, and we have $\chi(s_0, t) = 1$ for every $t \in T$. That is, the gate specified by $s_0$ returns 1 whenever exactly $(p+1)/2$ of the inputs are 1. By construction, setting more inputs to 1 will not alter this outcome, so the gate returns 1 whenever a majority of the inputs are 1. By the symmetry between 1 and 0 in each ternary component, the gate returns 0 whenever a majority of the inputs are 0. Thus, $s_0$ defines a $p$-ary majority gate. □
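An added example, not from the paper, that carries out the probabilistic construction above in Python for odd p: it computes the depth n required by f^n((p+1)/(2p)) > 1 − 1/|T|, samples leaf colorings s ∈ S, and checks each candidate against Definition 28 exhaustively. The formula f(x) = 3x²(1−x) + x³ is the standard computation for a ternary majority gate and is assumed here, since the page does not spell out (51); the function names are my own.

```python
import random
from fractions import Fraction as F
from itertools import product
from math import comb

def maj3(a, b, c):
    """A ternary majority gate."""
    return 1 if a + b + c >= 2 else 0

def f(x):
    """Probability that maj3 outputs 1 when each input is 1 independently with probability x.
    The page only names f; the formula 3x^2(1-x) + x^3 is the standard computation (assumed here)."""
    return 3 * x * x - 2 * x ** 3

def iterate_f(x, n):
    """f^n(x): probability that a depth-n balanced ternary tree of maj3 gates outputs 1."""
    for _ in range(n):
        x = f(x)
    return x

def required_depth(p):
    """Smallest n with f^n((p+1)/(2p)) > 1 - 1/|T|, where |T| = C(p, (p+1)/2), as in the proof (p odd)."""
    assert p % 2 == 1
    size_T = comb(p, (p + 1) // 2)
    n, x = 0, F(p + 1, 2 * p)
    while x <= 1 - F(1, size_T):
        x, n = f(x), n + 1
    return n

def eval_tree(leaf_colors, inputs):
    """Evaluate the balanced ternary tree whose leaf k reads input slot leaf_colors[k] (one s in S)."""
    level = [inputs[c] for c in leaf_colors]
    while len(level) > 1:
        level = [maj3(*level[i:i + 3]) for i in range(0, len(level), 3)]
    return level[0]

def is_majority_gate(leaf_colors, p):
    """Check Definition 28 on all 2^p inputs (ties, which only occur for even p, are ignored)."""
    for t in product((0, 1), repeat=p):
        ones = sum(t)
        if 2 * ones != p and eval_tree(leaf_colors, t) != (1 if 2 * ones > p else 0):
            return False
    return True

def find_majority_gate(p, depth=None, trials=100, seed=1):
    """Sample s in S uniformly (a random color per leaf) until a p-ary majority gate appears."""
    depth = required_depth(p) if depth is None else depth
    rng = random.Random(seed)
    for _ in range(trials):
        colors = [rng.randrange(p) for _ in range(3 ** depth)]
        if is_majority_gate(colors, p):
            return colors
    return None
```

For p = 3 the required depth is 1 (a single ternary gate), and for p = 5 it is 5, giving a tree with 243 leaves; the union bound from the proof makes a random coloring succeed with probability at least about 0.7, so a handful of trials suffices.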



We illustrate a 5-ary majority gate of the type obtained in the bureaucracy lemma: 




C Simulating infinite random sources 

Say Alice and Bob are both equipped with private, full-strength random sources; they wish 
to simulate a private, full-strength random source for some other player. 

For technical reasons, we will take "full-strength random source" to mean "a random source capable of sampling from any Haar measure." This restriction is mostly to avoid venturing into the wilds of set theory. After all, the pathologies available to probability spaces closely reflect the chosen set-theoretic axioms. We call these restricted spaces "Haar spaces."

12 In fact, the convergence is very fast. While we're ignoring computational complexity questions in this paper, more careful bookkeeping shows that this proof gives a polynomial b

ound (in p) on the size of the tree.

Definition 34. A probability space P is a Haar space if there exists some compact topological group G, equipped with its normalized Haar measure, admitting a measure-preserving map to P.

Remark 35. The following probability spaces are all Haar spaces: any continuous distribution on the real line; any standard probability space in the sense of Rokhlin [Rok49]; any Borel space or Borel measure on a Polish space; any finite probability space; arbitrary products of the above.

The following construction is an easy generalization of the classical construction given in Proposition 2.

Proposition 36. Let G be a compact group with normalized Haar measure. Now, p players equipped with private sources that sample from G may (p − 1)-robustly simulate a source that samples from G.

Proof. We provide a direct construction. The $i$-th player uses the Haar measure to pick $g_i \in G$ at random. The output of the simulated source will be the product $g_1 g_2 \cdots g_p$. It follows from the invariance of the Haar measure that any $p$-subset of

(54) $\{g_1, g_2, \ldots, g_p, g_1 g_2 \cdots g_p\}$

is independent! Thus, this is a $(p - 1)$-robust simulation. □
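As an added example, not part of the paper, here is an exhaustive check of Proposition 36 in Python for two finite groups (the normalized Haar measure on a finite group is the uniform distribution): the cyclic group Z_m and the non-abelian S_3. The `robustness` function returns the largest r for which every coalition of r sources, together with the simulated output, is jointly uniform, so that the coalition learns nothing about the output; the optional `combine` argument is a hypothetical alternative to the group product, included only to show a combiner that is not robust.

```python
from collections import Counter
from itertools import combinations, permutations, product

def cyclic_group(m):
    """Z_m under addition: (elements, multiplication law)."""
    return list(range(m)), (lambda a, b: (a + b) % m)

def symmetric_group(n):
    """S_n as permutation tuples under composition (a*b)[i] = a[b[i]]; non-abelian for n >= 3."""
    return list(permutations(range(n))), (lambda a, b: tuple(a[b[i]] for i in range(n)))

def simulation_runs(group, mul, p, combine=None):
    """Every equally likely run: the p private picks g_1..g_p followed by the simulated output,
    by default the Proposition 36 product g_1 g_2 ... g_p (uniform picks = Haar measure)."""
    runs = []
    for gs in product(group, repeat=p):
        if combine is None:
            out = gs[0]
            for g in gs[1:]:
                out = mul(out, g)
        else:
            out = combine(gs)          # hypothetical non-group combiner, for contrast
        runs.append(gs + (out,))
    return runs

def jointly_uniform(runs, coords, size):
    """True iff the chosen coordinates of a uniformly random run are independent and uniform on G^k."""
    counts = Counter(tuple(run[i] for i in coords) for run in runs)
    return len(counts) == size ** len(coords) and len(set(counts.values())) == 1

def robustness(group, mul, p, combine=None):
    """Largest r such that any r private sources together with the output (index p) are jointly
    uniform, i.e. a coalition of r sources learns nothing about the simulated output."""
    runs = simulation_runs(group, mul, p, combine)
    r = 0
    while r < p and all(jointly_uniform(runs, coal + (p,), len(group))
                        for coal in combinations(range(p), r + 1)):
        r += 1
    return r
```

For the group product the answer is always p − 1, matching (54): all p sources together determine the output, so the full set is not independent.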

Corollary 37. If p players are equipped with private, full-strength random sources, they may (p − 1)-robustly simulate a private, full-strength random source for some other player.



Proof. By Proposition 36, they may simulate a private random source capable of sampling from any compact group with Haar measure. But such a random source may also sample from all quotients of such spaces. □

Corollary 38. If p players are equipped with private random sources capable of sampling from the unit interval, they may (p − 1)-robustly simulate a random source capable of sampling from any standard probability space, in particular, any finite probability space.



Proof. Immediate from Proposition 36. □